Azure Update Manager: WSUS in the Cloud

Introduction

In an on-premises environment you have your WSUS server, which manages and governs all updates for your machines (servers and clients). Since Microsoft is shifting its portfolio to the cloud, they had to shift their update services too. The management of updates for clients was integrated into Intune with the feature “Update rings“. The patching of servers was integrated into the IaaS service “Automation Account”. This service was once called Update Management. With the newly launched “Azure Update Manager”, the old one was rebranded to Azure Automation Update Management. It’s kinda confusing, I know…
Azure Automation Update Management depended on the Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), which will be retired in August 2024. Azure Update Manager no longer depends on Azure Automation or Azure Monitor Logs. It offers many new features and functionalities like zero onboarding, Azure Policy support, granular access control, role-based access control, and enhanced flexibility. Thus, it is recommended to move as quickly as possible to Azure Update Manager.

Azure Update Manager is designed to manage and govern updates for Windows Server and Linux operating systems, including machines in Azure, on-premises, and on other cloud platforms. It allows monitoring Windows and Linux update compliance from a single dashboard and installing updates in real time or scheduling them within a defined maintenance window.

Prerequisites

Before enabling your machines for Update Manager, you need to ensure you have the necessary permissions to create and manage update deployments. For more information, see Azure Update Manager overview | Microsoft Learn.

Pricing

As with everything in Azure, the service comes with a price tag. “Azure Update Manager is charged at a daily prorated value of $0.162/server/day. A machine enabled by Azure Arc would only be charged for the days when it’s connected and managed by Azure Update Manager.” (Azure Update Manager pricing, 27.02.24)

Deployment

The deployment of Azure Update Manager is quite easy. There are basically two things that need to be configured: periodic assessments and maintenance configuration.

To include an Azure VM in the Azure Update Manager, the periodic assessment must be activated. This can be done either directly via the VM menu pane or in the Azure Update Manager. If the periodic assessment is not activated, the following setting is disabled under the VM updates menu pane.

To activate the periodic assessment setting, click on “Update settings”.

An additional configuration window then opens. In this window, the periodic assessment must now be activated, and the patch orchestration set to “customer managed schedules”. A manually configured maintenance window can be defined afterwards.

After enabling the periodic assessment, the custom maintenance window has to be defined. Again, this can be done directly via the VM menu pane or in the Azure Update Manager. In this example, a maintenance window is only defined for a single VM. The targeting of the definition can be applied to other VMs later.

As with every resource, various details such as subscription, resource group etc. are specified to create a maintenance configuration. In addition, the maintenance scope, the reboot setting and the schedule of the window must be configured. This involves configuring which resources are to be updated, what the reboot behaviour of the virtual machine is, and when the maintenance window should be scheduled. In this example, I configured a maintenance window with the guest scope, reboots only if required, and a schedule of every second Tuesday of the month at 10 PM. The scheduled window is 3 hours and 55 minutes long (the maximum configuration).

To target the maintenance configuration, you can choose either dynamic or direct assignment to resources. With the dynamic assignment, you can only scope it on the subscription layer. Thus, I would recommend assigning the configuration to the VMs directly.

In the Updates tab, you can configure which types of updates should be installed. KB IDs can even be included or excluded here. By default, only Critical updates and Security updates are installed for Windows systems. I would recommend that you also activate the following categories: Update rollups, Feature packs, Service packs, Definition updates (depending on the system and use case). With those settings, all “important” updates are installed automatically, e.g. Defender updates.

Afterwards, you can check to which VMs the maintenance configuration was assigned. To do so, navigate to Azure Update Manager -> Machines. The “Associated schedules” column lists the schedules for each VM.
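The three portal steps above (periodic assessment with customer managed schedules, the maintenance configuration, and the direct VM assignment) as an added Azure CLI script; this is not part of the original post. The resource group, VM, region, configuration name, time zone, subscription id and first start date are placeholders, and passing several classifications by repeating the classifications-to-include key follows the az maintenance key/value parameter style as I know it (check `az maintenance configuration create --help` for your CLI version).

```shell
# Added example, not from the original post: the portal steps as Azure CLI calls.
# All names, the region, time zone, subscription id and first start date are placeholders.
# DRY_RUN=1 prints each command instead of running it, so it can be reviewed offline.
set -e

RG="${RG:-rg-patching}"                    # placeholder resource group
VM="${VM:-vm-app01}"                       # placeholder Windows VM
LOCATION="${LOCATION:-westeurope}"         # placeholder region
CONFIG="${CONFIG:-mc-second-tuesday-22h}"  # placeholder maintenance configuration name
TIMEZONE="${TIMEZONE:-W. Europe Standard Time}"
FIRST_RUN="${FIRST_RUN:-2024-03-12 22:00}" # first window; must itself be a second Tuesday
SUB="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: periodic assessment on, patch orchestration set to customer managed schedules.
# bypassPlatformSafetyChecksOnUserSchedule hands install timing to the maintenance window.
enable_customer_managed_schedules() {
  run az vm update -g "$RG" -n "$VM" --set \
    osProfile.windowsConfiguration.patchSettings.assessmentMode=AutomaticByPlatform \
    osProfile.windowsConfiguration.patchSettings.patchMode=AutomaticByPlatform \
    osProfile.windowsConfiguration.patchSettings.automaticByPlatformSettings.bypassPlatformSafetyChecksOnUserSchedule=true
}

# Step 2: guest-scope window, reboot if required, second Tuesday of the month at 10 PM,
# 3 h 55 min (the maximum), default classifications plus the recommended extra ones.
create_maintenance_configuration() {
  run az maintenance configuration create -g "$RG" --resource-name "$CONFIG" \
    --location "$LOCATION" --maintenance-scope InGuestPatch \
    --maintenance-window-start-date-time "$FIRST_RUN" \
    --maintenance-window-time-zone "$TIMEZONE" \
    --maintenance-window-duration "03:55" \
    --maintenance-window-recur-every "Month Second Tuesday" \
    --reboot-setting IfRequired \
    --extension-properties InGuestPatchMode="User" \
    --install-patches-windows-parameters \
      classifications-to-include="Critical" classifications-to-include="Security" \
      classifications-to-include="UpdateRollup" classifications-to-include="FeaturePack" \
      classifications-to-include="ServicePack" classifications-to-include="Definition"
}

# Step 3: assign the configuration to the VM directly rather than via a dynamic scope.
assign_to_vm() {
  run az maintenance assignment create -g "$RG" --location "$LOCATION" \
    --resource-name "$VM" --resource-type virtualMachines --provider-name Microsoft.Compute \
    --configuration-assignment-name "$CONFIG" \
    --maintenance-configuration-id "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Maintenance/maintenanceConfigurations/$CONFIG"
}

deploy_all() { enable_customer_managed_schedules; create_maintenance_configuration; assign_to_vm; }
```

Run `DRY_RUN=1 deploy_all` first to review the exact commands, then `deploy_all` against a logged-in `az` session to apply them.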

Alerting

It is also possible to set up alerting for various Azure Update Manager metrics. This is currently still in preview. The alerting mechanism is based on Azure Monitor (alert rules and action groups). I personally would recommend configuring the alerting, especially for failed updates or failed maintenance windows. You can create the alert rules directly in the Azure Update Manager pane, on the left side in the “Monitoring” section of the menu.

Source: Azure Update manager – Pricing | Microsoft Azure, About Azure Update Manager